Description:
A vulnerability was reported in JBoss. A remote authenticated user can gain access to the target application.

When JBoss Web is configured to use JaccAuthorizationRealm, the WebPermissionMapping class creates the JACC permissions for the deployed web application but they are never checked. If, in addition, the 'ignoreBaseDecision' property is set to true on JBossWebRealm, the role check derived from the application's web.xml <security-constraint> element is also skipped, so a remote authenticated user can access the target application without having been assigned the required role.
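The following Python is an added illustration, not code from the advisory or from JBoss: it is a simplified model of the two authorization decisions named above (the unchecked JACC permission and the web.xml role check that 'ignoreBaseDecision' disables), run against a constructed web.xml, so a defender can see why the combination lets any authenticated user through and what to assert when auditing a deployment.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (assumption, not from the advisory):
# /admin/* is restricted to the "admin" role.
WEB_XML = """<?xml version="1.0"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>"""
NS = {"j": "http://java.sun.com/xml/ns/javaee"}


def parse_constraints(web_xml):
    """Return [(url_patterns, roles)] per <security-constraint>.
    roles is None when no <auth-constraint> exists (unrestricted) and
    [] when it is empty (nobody allowed), as the Servlet spec defines."""
    out = []
    for sc in ET.fromstring(web_xml).findall("j:security-constraint", NS):
        patterns = [p.text for p in sc.findall("j:web-resource-collection/j:url-pattern", NS)]
        auth = sc.find("j:auth-constraint", NS)
        roles = None if auth is None else [r.text for r in auth.findall("j:role-name", NS)]
        out.append((patterns, roles))
    return out


def _matches(pattern, path):
    # Servlet-style matching: exact path, or "/dir/*" prefix.
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    return path == pattern


def base_decision(path, user_roles, constraints):
    """The web.xml role check the realm performs when ignoreBaseDecision is false."""
    for patterns, roles in constraints:
        if any(_matches(p, path) for p in patterns):
            if roles is None:
                return True
            return bool(set(user_roles) & set(roles))
    return True  # no constraint covers the path


def is_authorized(path, user_roles, constraints, ignore_base_decision):
    """Model of the reported behaviour for an already-authenticated user:
    the JACC permission exists but is not consulted (modelled as True),
    so the web.xml role check is the only remaining gate, and
    ignoreBaseDecision=True removes it."""
    jacc_decision = True  # created by WebPermissionMapping, never checked
    if ignore_base_decision:
        return jacc_decision
    return jacc_decision and base_decision(path, user_roles, constraints)
```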

Impact:
A remote authenticated user can gain access to the target application.

Solution:
The vendor has issued a fix (EAP 6.0.0, and other versions).